Re: [FUG-BR] Firewall com pf no freeBSD 7

[Willian Alves]

cara seguinte o ipfw e o filtro de pacote padrão do FreeBSD na linha de 
comando da um ipfw show e verifica as regras de firewall por padrao vem 
bloqueado tudo talvez seja por isso que nao esta funcionado seu roteamento
fica ai meu  cents.


- Original Message - 
From: "Márcio Luciano Donada" <[EMAIL PROTECTED]>
To: ""Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"" 

Sent: Monday, November 03, 2008 6:07 PM
Subject: Re: [FUG-BR] Firewall com pf no freeBSD 7


Ricardo Augusto de Souza escreveu:
> FW2# cat rc.conf
>
> # -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
> # Created: Fri Oct 31 08:57:07 2008
> # Enable network daemons for user convenience.
> # Please make all changes to this file, not to /etc/defaults/rc.conf.
> # This file now contains just the overrides from /etc/defaults/rc.conf.
> ken_securelevel="1"
> kern_securelevel_enable="YES"
> pf_enable="YES"
> defaultrouter="189.xxx.xxx.xxx"
> gateway_enable="YES"
> hostname="FW2.CMT"
> ifconfig_bce0="inet 189.xxx.xxx.3  netmask 255.255.255.248"
> ifconfig_bce1="inet 10.10.100.252  netmask 255.255.0.0"
> inetd_enable="YES"
> keymap="br275.cp850"
> linux_enable="YES"
> sshd_enable="YES"
> FW2#
>
>


> FW2# cat rc.local
> #alias
> ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
> #rotas
> route add 10.100.0.0/24 10.100.1.1
> FW2#
>
>

Você pode colocar os alias de interface tudo no rc.conf, veja no [1].
Você falou que recompilou seu kernel mas seu dmesg traz o kernel GENERIC:

FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC



[1].
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html

Abraço,

-
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd 

-
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd

Re: [FUG-BR] Firewall com pf no freeBSD 7

[Márcio Luciano Donada]

Ricardo Augusto de Souza escreveu:
> FW2# cat rc.conf
>
> # -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
> # Created: Fri Oct 31 08:57:07 2008
> # Enable network daemons for user convenience.
> # Please make all changes to this file, not to /etc/defaults/rc.conf.
> # This file now contains just the overrides from /etc/defaults/rc.conf.
> ken_securelevel="1"
> kern_securelevel_enable="YES"
> pf_enable="YES"
> defaultrouter="189.xxx.xxx.xxx"
> gateway_enable="YES"
> hostname="FW2.CMT"
> ifconfig_bce0="inet 189.xxx.xxx.3  netmask 255.255.255.248"
> ifconfig_bce1="inet 10.10.100.252  netmask 255.255.0.0"
> inetd_enable="YES"
> keymap="br275.cp850"
> linux_enable="YES"
> sshd_enable="YES"
> FW2#
>
>   


> FW2# cat rc.local
> #alias
> ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
> #rotas
> route add 10.100.0.0/24 10.100.1.1
> FW2#
>
>   

Você pode colocar os alias de interface tudo no rc.conf, veja no [1].
Você falou que recompilou seu kernel mas seu dmesg traz o kernel GENERIC:

FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC



[1].
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html

Abraço,

-
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd

[FUG-BR] Firewall com pf no freeBSD 7

[Ricardo Augusto de Souza]

Ola, 
sou usuario de openBSD há muitos anos.
Sempre utilizei para firewall.
Recebi uma maquina de uma outra área da minha empresa para eu usar como 
firewall só que o openbsd nao é compativel com ela. ( maldita controladora 
Adaptec).

Para resolver este problema, resolvi instalar o FreeBSD nesta maquina q é uma 
IBM x3550.

Habilitei o pf no rc.conf e recompilei o kernel para usar o altq futuramente.

Já consegui compartilhar a internet para minha rede local, o problema é que nao 
consegui rotear / liberar o acesso a rede 10.100.0.0 ( minha rede mpls) para a 
rede local.
Só que nao consigo pingar nem acessar esta maquina 10.100.0.5 dos clientes que 
estao usando o freebsd como gateway.


Só para constar: estou achando o freebsd bem mas rapido do que o openbsd.


Segue abaixo os arquivos de conf utilizados.

FW2# cat rc.conf

# -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
# Created: Fri Oct 31 08:57:07 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
ken_securelevel="1"
kern_securelevel_enable="YES"
pf_enable="YES"
defaultrouter="189.xxx.xxx.xxx"
gateway_enable="YES"
hostname="FW2.CMT"
ifconfig_bce0="inet 189.xxx.xxx.3  netmask 255.255.255.248"
ifconfig_bce1="inet 10.10.100.252  netmask 255.255.0.0"
inetd_enable="YES"
keymap="br275.cp850"
linux_enable="YES"
sshd_enable="YES"
FW2#

FW2# cat rc.local
#alias
ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
#rotas
route add 10.100.0.0/24 10.100.1.1
FW2#

FW2# cat pf.conf
# variaveis
ext_if = "bce0"
int_if = "bce1"
cmt_lan = "10.10.0.0/24"
cmt_lan_ti = "10.10.20.0/24"
cmt_lan_callcenter = "10.10.60.0/24"
rede_mpls = " 10.100.0.0/24 "
tcp_out_ports = "{ 53, 80, 443 }"

# run time options
scrub in all

# nat
nat on $ext_if from $cmt_lan to any port $tcp_out_ports tag CMT_LAN -> ($ext_if)
nat on $ext_if from $cmt_lan_ti to any tag CMT_LAN_TI -> ($ext_if)
nat on $ext_if from $cmt_lan_callcenter port $tcp_out_ports to any tag 
CMT_LAN_CALLCENTER -> ($ext_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $cmt_lan_ti to any port 21 -> \
127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out proto tcp from any to any port 21
pass in on $int_if from any to any modulate state
pass out on $int_if from any to any modulate state
pass out on $ext_if from $ext_if to any modulate state
FW2#


FW2# ping 10.100.0.5
PING 10.100.0.5 (10.100.0.5): 56 data bytes
64 bytes from 10.100.0.5: icmp_seq=0 ttl=126 time=5.250 ms
64 bytes from 10.100.0.5: icmp_seq=1 ttl=126 time=8.325 ms
64 bytes from 10.100.0.5: icmp_seq=2 ttl=126 time=6.169 ms
64 bytes from 10.100.0.5: icmp_seq=3 ttl=126 time=8.943 ms
^C
--- 10.100.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.250/7.172/8.943/1.514 ms
#

FW2# nc -v 10.100.0.5 80
Connection to 10.100.0.5 80 port [tcp/http] succeeded!
^C
FW2#


FW2# cat sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.bsd.see_other_uids=0
net.inet.ip.check_interface=1 # protection against spoof ip packets
net.inet.ip.random_id=1
net.inet.ip.fastforwarding=1
net.inet.ip.process_options=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2  # blackhole pings, traceroutes, etc.
net.inet.tcp.rfc3042=1 # Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3390=1 # Increasing TCP's Initial Window
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=30
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
kern.fallback_elf_brand=3
kern.polling.enable=1 # network interface pooling instead interrupt request
kern.ipc.shm_use_phys=1 # kernel to lock shared memory into RAM
   # and prevent it from being paged out to swap
kern.ipc.maxsockbuf=2097152 # Buffers de socket para novas conexoes
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1
FW2#


FW2# cat /root/dmesg.txt
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU 

[FUG-BR] firewall com PF

[Cleyton Bertolim]

Pessoal, sempre utilizei o IPFilter no FreeBSD pra montar meus
firewalls, mas agora estou comecando a estudar o PF, pois me parece
ser muito bom. Sempre que montava um firewall em ipfilter, eu rodava o
nessus pra verificar a seguranca, e sempre estava muito bem
configurado, e o nessus na maioria das vezes nao encontrava nenhum
problema de seguranca, e muitas vezes, o nessus ate pensava que o IP
nao existia ou coisa parecida, pois ele dava uma mensagem que nao era
possivel encontrar o host. Pois bem, agora com o PF, nao estou
acertando nas configuracoes de firewall, pois o nessus sempre encontra
furos. Ja li varias vezes o documento oficial do PF no site do
OpenBSD, ja olhei todos os arquivos dentro de /usr/share/examples/pf/
no FreeBSD, e tambem varias dicas na internet, mas ate agora nada
resolveu meu problema.

No firewall de teste que estou montando aqui, tenho rodando pra rede
Externa apenas o SSH, que no meu caso roda na porta 50.000, e pra rede
interna o Apache (porta 80) por causa dos relatorios do Sarg e o Squid
na porta 3128. E dentro dos arquivos squid.conf e httpd.conf, esta
configurado pra rodar no ip da rede local. exemplo:
192.168.0.1:3128(squid) 192.168.0.1:80(apache). quando executo o
comando sockstat ele mostra que esta rodando apenas na interface da
rede local mesmo. Mas pelo nessus, ele diz que a porta 80 esta livre e
com furos.

Tenho redes separadas aqui na empresa onde trabalho, e varios links de
internet separados tambem, entao quando utilizo o nessus pra fazer
esses testes, tenho certesa de que nao estou testando pela rede
interna LAN.

As configuracoes deste firewall sao exatamente iguais as dos firewall
que montava usando IPFilter, a unica coisa que esta diferente agora e
que uso o PF.

Abaixo colocarei algumas informacoes dos arquivos de configuracao que
tenho neste novo firewall, e tambem o relatorio que o nessus me da
quando rodo o teste.

Se alguem puder me apontar onde estou errando, ou como melhorar a
seguranca deste firewall, agradeco desde ja a ajuda!!!

-- RELATORIO NESSUS --
201.24.73.106 1 Open Ports, 11 Notes, 2 Warnings, 1 Holes.

http (80/tcp)

 The proxy, allows everyone to perform requests
against arbitrary ports, like
'GET http://cvs.nessus.org:110'.

This problem may allow attackers to go through your
firewall, by connecting to sensitive ports like 25 (sendmail)
using your proxy. In addition to that, your proxy may be used
to perform attacks against other networks.

Solution reconfigure your proxy so that it only accepts
connections against non-dangerous ports (> 1024).

Risk Factor : High
Plugin ID : 10193

 Synopsis :

The remote web proxy server accepts requests.

Description :

The remote web proxy accepts unauthenticated HTTP requests from the
Nessus scanner. By routing requests through the affected proxy, a
user may be able to gain some degree of anonymity while browsing web
sites, which will see requests as originating from the remote host
itself rather than the user's host.

Solution
Reconfigure the remote proxy so that it only accepts requests coming
from inside your network.

Risk Factor :

Low / CVSS Base Score : 2.3
(AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
Plugin ID : 10195

 The proxy accepts gopher:// requests.

Gopher is an old network protocol which predates HTTP and
is nearly unused today. As a result, gopher-compatible
software is generally less audited and more likely to contain
security bugs than others.

By making gopher requests, an attacker may evade your firewall
settings, by making connections to port 70, or may even exploit
arcane flaws in this protocol to gain more privileges on this
host (see the attached CVE id for such an example).

Solution: reconfigure your proxy so that it refuses gopher requests.

Risk Factor : Medium
CVE : CVE-2002-0371
BID : 4930
Other references : OSVDB:3004
Plugin ID : 11305

 Port is open
Plugin ID : 11219

 A web server is running on this port
Plugin ID : 10330

 An HTTP proxy is running on this port
Plugin ID : 10330

 The GET method revealed those proxies on the way to this web server :
HTTP/1.0 hercules-mmc.redesuperauto.com.br:3128 (squid/2.6.STABLE10)

Plugin ID : 11040

 Synopsis :

A web server is running on the remote host.

Description :

This plugin attempts to determine the type and the version of
the remote web server.

Risk Factor :

None

Plugin output :

The remote web server type is :

squid/2.6.STABLE10

Plugin ID : 10107

 Synopsis :

Some information about the remote HTTP configuration can be
extracted.

Description :

This test gives some information about the remote HTTP protocol - the version
used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem

Solution:

None.

Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

Protocol version : HTTP/1.0
SSL : no
Pipelining : no
Keep-Alive : no
Options allowed : (Not implemented)
Heade